Blocking WordPress XMLRPC brute-force amplification attacks with NinjaFirewall.



October 15, 2015 Update: Starting from version 1.7, NinjaFirewall WP/WP+ includes a protection against such attacks which can be enabled from the "Firewall Policies > WordPress XML-RPC API" menu:

Original article

Although NinjaFirewall WP/WP+ Edition already includes different protections against brute-force attacks targeting WordPress XMLRPC API, you can still use the .htninja file to setup your own custom protection.

The .htninja lets you prepend your own PHP code to the firewall. This is a very powerful feature, and there is almost no limit to what you can do: add your own security rules, manipulated HTTP requests, cookies, headers, variables etc. It will be processed before WordPress and all its plugins are loaded.

In this example, we will block most of those brute-force amplification attacks that we have seen lately.
Because hackers make use of the system.multicall method, we will parse the raw HTTP POST data sent to the xmlrpc.php script and reject it only if that method is found. Other requests/methods will be allowed:

 | NinjaFirewall optional configuration file                         |
 |                                                                   |
 | See: |

// Look for a POST request sent to the XMLRPC script:
if ( $_SERVER['REQUEST_METHOD'] == 'POST' && strpos($_SERVER['SCRIPT_NAME'], '/xmlrpc.php') !== FALSE ) {
   // Get the raw POST data:
   $RAW_DATA = file_get_contents( 'php://input' );
   // Search for 'system.multicall' substring:
   if ( strpos($RAW_DATA, 'system.multicall') !== FALSE ) {
      // Reject it with a 404 Not Found and quit:
      header('HTTP/1.1 404 Not Found');
      header('Status: 404 Not Found');
      // Quit:


A powerful antivirus
scanner for WordPress.


Website Monitoring
for just .99 per month.


Web Application Firewall
for PHP and WordPress.


Malware removal
and hacking recovery.

Table of contents